
2. INTERNAL CONTROL: DEVELOPMENT OF REGULATION AND PRACTICE

2.3 CHANGES IN AUDIT REGULATION AND PRACTICE

The following section presents an overview of the development of audit regulation and practice. Such an overview is important for understanding the context in which prior internal control judgment research was conducted, and it may be interesting in its own right. The overview therefore starts with the time of the first internal control judgment studies in the 1970’s and comments on the most important subsequent changes.

The audit risk model (ARM) originated in the 1950’s (Bell and Wright 1995), and it appeared in audit regulation for the first time in equation form in 1972 in Appendix B of AICPA Statement on Auditing Procedure No. 54 Precision and Reliability for Statistical Sampling in Auditing. The overview therefore assumes that the model was known to auditors and audit researchers at the time of Ashton’s study of internal control judgments in 1974. In the overview, focus is therefore on regulatory and practice development relevant to control risk judgments. The overview will seek to provide insight into the following questions: First, did auditors in the early 1970’s test internal control effectiveness or just evaluate design? If they only evaluated design, when did auditors start testing controls? Second, how has the extent of testing changed over time? Third, what changes have occurred in terms of the kinds of controls assessed: transaction level controls versus higher level controls such as the control environment, management controls and company level controls? Fourth, when did auditors start adopting a top-down audit approach (i.e., focus on risk management and company level controls before continuing with transaction level controls)?

13 Similar requirements exist in the US for the audit of non-public companies through requirements in Statements on Auditing Standards (SAS) issued by the Auditing Standards Board (ASB).

Early 1970’s – Limited control focus

Although the audit risk model was known to auditors (at least) since 1972 (through SAP 54, AICPA 1972), the model first became mandatory in 1984 with the issuance of SAS 47 (AICPA 1983). When did auditors start using the model and perform control risk judgments?

It is reasonable to assume that the model was generally used, at least, from 1984. However, there is no clear record of exactly what practice was regarding the use of the audit risk model’s concepts prior to 1984 (POB 2000, appendix A para 13-14). Generally, around the 1970’s, it was believed that audits tended to be conducted using a variety of substantive testing approaches with less reliance on judgments about control risk, although the inverse relationship between control work and substantive work had been recognized since before the 1970’s (ibid). This may be due to the audit risk model permitting defaulting to an assumption that control risk is maximum (ibid). Such a default assumption permits ignoring internal controls and jumping directly to substantive audit procedures, which may be a more efficient audit approach.14 This general picture is confirmed through the descriptions of the role of internal controls in auditing found in early audit research and current audit research describing the period (e.g., Ashton 1974, Joyce 1976, Heier et al. 2005).

At the time of Ashton’s study of internal control judgment in 1974, the characteristics of sound internal control were, according to Joyce (1976), well defined and presumably widely known. According to Heier et al. (2005) there was, however, no uncontroversial definition of internal control, and disagreement existed about the differentiation between accounting and administrative controls. Early research applied tasks with transaction level controls (Trotman and Wood 1991), and not management level controls. It is therefore not unreasonable to assume that agreement existed about the characteristics of sound transaction level internal controls, and that the potential disagreement regarded the more complex management level controls.

In the early 1970’s, the auditor was required to review and evaluate internal control for audit planning purposes (Ashton 1974):

“The primary purpose of the internal control review is to enable the auditor to determine the particular auditing procedures to be applied, the timing of those procedures, and the extent of their application.” (…) “There is to be a proper study and evaluation of the existing internal control as a basis for reliance thereon and for the determination of the resultant extent of the tests to which auditing procedures are to be restricted.” (Ashton 1974, citing the second standard of fieldwork at the time)

The auditor thus documented and evaluated internal controls. However, although the auditor may have conducted control tests in order to perform a “proper study”, such testing did, according to Ashton, not seem to have been performed for control risk reduction:

“The audit is conditioned by the auditor’s judgment of the strength of the internal control system, regardless of the controls actually employed or the evidence gathered to evaluate them.” (Ashton 1974)

14 Such an approach may have been difficult for large companies such as multinational clients, even prior to the 1970’s. Some audits, especially for large companies, may therefore have included control testing.

Ashton (1974) furthermore provides an insight into the focus regarding internal controls:

“In the evaluation of a client’s system of internal controls, auditors typically concentrate upon individual internal control subsystems, for example, cash receipts, inventories, etc.”

Although the picture of audit practice in the early 1970’s is somewhat unclear (POB 2000, appendix A para 13-14), the following overall conclusion is drawn: The auditor had a very narrow interpretation of risk and control, focusing on accounting error (Knechel 2007). Controls were assessed for planning purposes (i.e., to determine the extent of substantive procedures) (Joyce 1976; Knechel 2007). Focus was on transaction level subsystems and very detailed process controls (Joyce 1976; Knechel 2007). Although it might have been good practice to test controls in order to reduce the extent of substantive procedures, there is no clear evidence that this was the case. It can therefore not be ruled out that it was sufficient for the auditor to assess control design in order to reduce substantive testing (Ashton 1974).

There is no indication of auditors using a top-down audit approach.

The 1970’s and 1980’s

The late 1970’s and 1980’s saw significant changes in audit and internal control regulation. These changes affected the definition of internal control, the client’s responsibilities, and the auditor’s responsibilities.

The first major change for companies came through the Foreign Corrupt Practices Act in 1977, which required management to develop and implement systems of internal control to reduce various risks, including a system of internal control over financial reporting. Although the act did not change the basic AICPA definitions of internal control, it put internal control on the corporate agenda (Heier et al. 2005). Further guidance was developed in 1977 when the AICPA formed a committee to provide guidance on internal control that would benefit management, boards of directors and other parties: Report of the Special Advisory Committee on Internal Accounting Control (AICPA 1979). Based on these two developments it is reasonable to assume that internal control systems became more structured in client companies, and that some form of holistic management level control appeared.

Soon after, the audit risk model became more prominent in audit regulation: The audit risk model (ARM) first appeared in equation form in 1972 in Appendix B of AICPA Statement on Auditing Procedure No. 54 Precision and Reliability for Statistical Sampling in Auditing (AICPA 1972). The Auditing Standards Board later included a similar equation in SAS No. 39 Audit Sampling (AICPA 1981). With SAS No. 47 Audit Risk and Materiality in Conducting an Audit (AICPA 1983), use of the model became mandatory (POB 2000, appendix A para 13). It is therefore reasonable to assume that auditors started assessing control risk more formally sometime before the mid 1980’s. This implied that the auditor could assess control risk at a lower level, below the maximum, by: (1) identifying specific controls that are likely to prevent or detect material misstatements relative to specific aspects of the financial statements, and (2) performing tests of those controls to evaluate their effectiveness. When auditors “relied” on controls in an area, it therefore meant that they had assessed control risk below the maximum level and had tested the effectiveness of those controls. If one accepts that, at the time of Ashton’s 1974 study, the extent of substantive testing could be reduced based on control design evaluation alone, the SAS 47 requirement for testing was a significant development. The default solution of setting control risk to maximum and not relying on internal control was, however, still permitted. Due to efficiency considerations, it is therefore not given that controls were always relied upon, even though effective controls may have been in place in companies.

SAS 55 Consideration of the Internal Control Structure in a Financial Statement Audit (AICPA 1988) changed the definition of internal control and identified three elements of control: (1) Control Environment, (2) Accounting System and (3) Control Procedures. Furthermore, SAS 55 required the auditor to obtain an understanding of internal control adequate for planning the audit. It is therefore reasonable to assume that at this point auditors had started assessing the design of management level controls such as the control environment. The auditor’s responsibility was, however, primarily limited to evaluating “accounting controls”, and “management level controls” were to be considered only to the degree that they had importance for the financial statements (Heier et al. 2005). Furthermore, obtaining an understanding of internal control does not require the auditor to reach any conclusions about the effectiveness of internal control. SAS 55 did therefore not always require testing the effectiveness of internal control. However, if control risk was to be reduced, testing of effectiveness was required.

Approaching 1990 it is therefore reasonable to assume that the importance and extent of internal controls within companies had increased. Furthermore, the auditors’ approach to internal controls had changed in three ways since the early 1970’s: First, since firms had more controls, the auditor was presumably required to understand more controls for planning purposes. Second, the control environment was assessed in addition to the usual transaction level controls. Third, testing of control effectiveness was clearly required if controls were relied upon.

1990’s – accelerating pace of change

In the 1990’s the development of internal control relevant regulation accelerated. SAS 55 had been criticized for being difficult to apply in practice (Heier et al. 2005). As a response to this, and to other criticisms, COSO, which was heavily influenced by auditors, released Internal Control – an Integrated Framework (COSO 1992).15 The purpose of the report was to define internal control, describe its components and provide criteria and materials for evaluating internal control systems. The report thus provided an internationally accepted framework for designing and evaluating internal controls, focusing on defining internal controls as a process and including management level components such as risk management and monitoring.

The COSO dimensions and components of internal control and risk management became something that all businesses were expected to pursue as part of their operations (Knechel 2007). It is therefore reasonable to assume that the extent of company level controls in client firms increased and that they became better structured.

With the issuance of the COSO report (1992) the auditor’s concept of risk and control changed (Knechel 2007). Auditors were presented with a definition of risk and control that reflected much more than accounting errors (ibid). Auditors may therefore have adopted a broader view of their responsibilities for evaluating risk and control (ibid), focusing more on company level controls and operational controls.

15 The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative, formed in 1985. COSO is sponsored and funded by 5 main professional accounting associations and institutes: American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives Institute (FEI), The Institute of Internal Auditors (IIA) and The Institute of Management Accountants (IMA). Furthermore, the COSO “Internal Control – Integrated Framework” (1992) was authored by Coopers and Lybrand. COSO is, and was, therefore heavily influenced by auditors.

The COSO framework was embedded in U.S. audit standards in 1995 through SAS 78 Consideration of the Internal Control Structure in a Financial Statement Audit: An Amendment to SAS No 55 (AICPA 1995). With this standard, the definitions, dimensions and components of internal controls in the COSO report (1992) were formally recognized in audit regulation. It is therefore reasonable to assume that company level controls such as the control environment, monitoring and risk management were now a general part of the audit. The POB report (POB 2000, para 2.67) provides evidence that, at least, the control environment was generally assessed in audits at the end of the 1990’s.

However, SAS 78 still only required that the auditor understand internal control sufficiently to plan the audit and to evaluate whether such controls were suitably designed and placed in operation. There was still no requirement to test the operational effectiveness of controls, and the default solution of setting control risk to maximum was still possible. International auditing standards at that time had similar requirements as SAS 78. It is therefore reasonable to assume that international audit approaches were similar to those found in the U.S.

How were the auditors handling the changes in regulation, practice and the general business environment? The 1980’s saw rapid growth of audit practices due to deregulation, expansion of the professional pool, improvements in technology and a perceived need to reduce costs in the audit process due to competition (Knechel 2007). This resulted in an implementation of highly structured and formalistic audit processes (i.e., audit structure) that were intended to reduce the risk of serious judgment errors, reduce costs and increase judgment consistency (ibid). This development may have contributed to improved, better documented and more consistent judgments in audit firms.

However, according to the Public Oversight Board (POB), substantive procedures were still the dominating audit approach (POB 2000, para 275):

“Anecdotal and other evidence indicates that many (but by no means all) audits continued to be performed using substantive testing approaches with little or no attention paid to the results of the risk assessments called for by the audit risk model.” (POB 2000, appendix A para 14)

Furthermore, the 1980’s and 1990’s were a period of globalization and growth, and many companies now grew to a size where substantive audit procedures were neither effective nor efficient (POB 2000, Knechel 2007). The traditional substantive audit approach therefore started running into problems (Knechel 2007):

“The sheer volume of transactions processed by client organizations, the fast pace of technological developments affecting client organizations and audit firms alike, and economic constraints on the ability of audit firms to recover rising costs (…) led some firms to conclude that many audits were being conducted without sufficient consideration being given to the risk assessment process and that they consequently lacked in both effectiveness and efficiency.” (POB 2000, appendix A para 15)

While audit regulation was open for extensive control reliance, both at the transaction level and regarding company level controls, such an approach was not generally adopted by audit practice (POB 2000, para 275). However, the increasing recognition of problems with audit effectiveness and efficiency led to a redesign of the audit process (Knechel 2007). In the late 1980’s audit firms started (1) recruiting better educated and more mature staff, (2) placing more focus on tests of controls and analytical procedures, and (3) developing audit programs for audit testing based on more comprehensive risk assessment procedures (ibid). This development continued in the 1990’s due to the introduction of the COSO report (ibid). Into the 1990’s, the development of the business risk audit (or strategic systems audit) increased focus on risk and control further (Knechel 2007; Peecher et al. 2007), resulting in more cost efficient audits with less reliance on substantive procedures (Knechel 2007).

The traditional substantive audit approach had, however, far from disappeared. The 2000 report of the POB Panel on Audit Effectiveness (POB 2000) noted that auditors’ evaluations of internal controls generally were quite limited:

“Assessing control risk below the maximum level and relying on controls to reduce detailed substantive audit tests were found to be somewhat uncommon, particularly for small and medium-sized entities. Testing and relying on specific application controls were more common on larger engagements. In high-risk key areas, controls usually were not relied on in lieu of detailed tests.” (POB 2000, para 2.71)

Furthermore, several problems were identified regarding the sufficiency of the depth of the auditors’ understanding of internal control, the extent of reliance on the control environment and other management controls, the link between risk, controls and substantive testing, and several other issues (POB 2000, para 2.77). The POB panel report (POB 2000) therefore sparked a process of regulatory change around the turn of the millennium.

2000 – ISA risk standards, SOX 404 and further COSO development

Based on the POB report (POB 2000), the IAASB and the AICPA formed the Joint Risk Assessment Task Force, with the mandate of updating audit standards governing the use of the audit risk model. This resulted in the IAASB issuing the “risk standards” in 2003.16 The purpose of the risk standards was to “increase audit quality as a result of better risk assessments through a more detailed understanding of the entity and its environment, including its internal control, and improved design and performance of audit procedures to respond to assessed risks of material misstatements” (Project History: Audit Risk, IAASB 2008).

For internal control judgments the risk standards had the following effect: First, the requirement for understanding the business, its risks and its controls was expanded and specified in detail through extensive guidance based on the COSO Integrated Framework (COSO 1992). This guidance results in an increased focus on company level controls such as monitoring, risk assessment and the control environment. Second, it was required that the auditor assess the risk of material misstatements, control design and whether controls were implemented. Third, control design evaluations had to be performed for all significant risks (ISA 315.113 IFAC 2008) and for risks where substantive procedures were insufficient (ISA 315.115 IFAC 2008). Fourth, documentation requirements were increased. Similar requirements were introduced in the U.S. with AU 319 (AICPA 2002) and AU 314 (AICPA 2008), apart from the requirement regarding significant risks.

At the time of the issuance of the risk standards exposure drafts in 2002, the financial scandals at the turn of the millennium were taking place (e.g., Enron, Ahold). The U.S. responded to the scandals, and the content of the POB report (POB 2000), through the Sarbanes-Oxley Act (2002). This was a major change in regulation. Section 404 of the Act required that management report on the effectiveness of its internal control over financial reporting at year end, and that the auditor attests to the accuracy of its report. The Act thus introduced a requirement for an audit of internal control over financial reporting. The act furthermore introduced a separate judgment about the overall effectiveness of internal controls (i.e., material weaknesses in internal control or not). Prior to the Act, no overall judgments had been made regarding internal controls in a financial statement audit. Detailed requirements for the audit process were issued in AS2 (PCAOB, 2004) and AS5 (PCAOB, 2007). The main difference between AS2 and AS5 is that the latter emphasizes a top-down audit approach starting with risk management and entity level controls.

16 The “risk standards” refer to ISA 315, ISA 330 and ISA 500. These standards replaced ISA 310, ISA 400 and ISA 401 as of 2004.

The act also, presumably, had a large impact on the extent and quality of internal control over financial reporting within client firms. This, together with the extensive auditor testing of internal control, facilitated the possibility of more reliance on controls in an audit of financial statements. A major change in audit strategy was therefore presumably taking place, with more controls reliance.

The ISA risk standards, SOX regulation and general pressure on auditors due to the financial scandals, litigation risk and reputation risk thus caused a tremendous effort on the part of the auditor regarding internal control assessments (Heier et al. 2005, Knechel 2007). Both under the IAASB (i.e. ISA) and the PCAOB regime much more focus was put on entity level controls and control design evaluations, and control testing increased vastly, obviously most in the U.S. where a full audit of internal control over financial reporting was mandatory (i.e.,
